-rw-r--r-- | paramiko/ecdsakey.py | 2 | ||||
-rw-r--r-- | paramiko/proxy.py | 4 | ||||
-rw-r--r-- | paramiko/transport.py | 27 | ||||
-rw-r--r-- | sites/www/changelog.rst | 14 |
4 files changed, 31 insertions, 16 deletions
diff --git a/paramiko/ecdsakey.py b/paramiko/ecdsakey.py index d435603d..e4f74310 100644 --- a/paramiko/ecdsakey.py +++ b/paramiko/ecdsakey.py @@ -258,7 +258,7 @@ class ECDSAKey(PKey): key = serialization.load_der_private_key( data, password=None, backend=default_backend() ) - except ValueError as e: + except (ValueError, AssertionError) as e: raise SSHException(str(e)) self.signing_key = key diff --git a/paramiko/proxy.py b/paramiko/proxy.py index d3ae436f..059ba83e 100644 --- a/paramiko/proxy.py +++ b/paramiko/proxy.py @@ -21,7 +21,6 @@ from datetime import datetime import os from shlex import split as shlsplit import signal -from subprocess import Popen, PIPE from select import select import socket import time @@ -49,6 +48,9 @@ class ProxyCommand(ClosingContextManager): :param str command_line: the command that should be executed and used as the proxy. """ + # NOTE: subprocess import done lazily so platforms without it (e.g. + # GAE) can still import us during overall Paramiko load. + from subprocess import Popen, PIPE self.cmd = shlsplit(command_line) self.process = Popen(self.cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE, bufsize=0) diff --git a/paramiko/transport.py b/paramiko/transport.py index b52d3158..71d5109e 100644 --- a/paramiko/transport.py +++ b/paramiko/transport.py @@ -229,6 +229,7 @@ class Transport (threading.Thread, ClosingContextManager): } _modulus_pack = None + _active_check_timeout = 0.1 def __init__(self, sock, @@ -316,7 +317,7 @@ class Transport (threading.Thread, ClosingContextManager): # we set the timeout so we can check self.active periodically to # see if we should bail. socket.timeout exception is never # propagated. - self.sock.settimeout(0.1) + self.sock.settimeout(self._active_check_timeout) except AttributeError: pass 
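Review bot: The widened `except (ValueError, AssertionError) as e:` in paramiko/ecdsakey.py still builds its message with `str(e)`, and an AssertionError raised by a bare `assert` may carry no message, leaving the caller an empty SSHException to log. A fallback such as `raise SSHException(str(e) or "Invalid ECDSA private key data")` keeps the error actionable. Relying on an assertion inside the key loader is also fragile, because asserts are stripped when Python runs with `-O`, so malformed key data may then fail in a different way and escape this handler; a short comment saying so would help. The enclosing method starts and ends outside the hunk.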
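Review bot: With `from subprocess import Popen, PIPE` moved into the ProxyCommand constructor in paramiko/proxy.py, a platform without `subprocess` raises a bare ImportError only when a ProxyCommand is built, and the docstring does not say so. Adding `:raises ImportError: if the platform provides no subprocess module` after the `command_line` parameter entry would document it. `Popen` and `PIPE` also stop being attributes of the `paramiko.proxy` module, so any code that refers to them by module name (none is visible in this hunk) would need checking. The constructor's `def` line and the rest of its body are outside the hunk.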
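Review bot: The new class attribute `_active_check_timeout = 0.1` in paramiko/transport.py has no comment, although the changelog presents it as a value users may tune and the following hunk passes it straight to `self.sock.settimeout(...)`. A comment such as `# Seconds; socket timeout that bounds how often self.active is re-checked.` would state the unit and purpose. The comment could also warn that `None` makes the socket blocking and `0` makes it non-blocking, and either defeats the periodic check described above the `settimeout` call. Both hunks sit inside definitions that continue outside the visible lines.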
@@ -1428,20 +1429,18 @@ class Transport (threading.Thread, ClosingContextManager): def auth_gssapi_keyex(self, username): """ - Authenticate to the Server with GSS-API / SSPI if GSS-API Key Exchange - was the used key exchange method. + Authenticate to the server with GSS-API/SSPI if GSS-API kex is in use. - :param str username: The username to authenticate as - :param str gss_host: The target host - :param bool gss_deleg_creds: Delegate credentials or not - :return: list of auth types permissible for the next stage of - authentication (normally empty) - :rtype: list - :raise BadAuthenticationType: if GSS-API Key Exchange was not performed - (and no event was passed in) - :raise AuthenticationException: if the authentication failed (and no - event was passed in) - :raise SSHException: if there was a network error + :param str username: The username to authenticate as. + :returns: + a `list` of auth types permissible for the next stage of + authentication (normally empty) + :raises BadAuthenticationType: + if GSS-API Key Exchange was not performed (and no event was passed + in) + :raises AuthenticationException: + if the authentication failed (and no event was passed in) + :raises SSHException: if there was a network error """ if (not self.active) or (not self.initial_kex_done): # we should never try to authenticate unless we're on a secure link diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index 49ddd848..f739c9fa 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst 
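Review bot: The rewritten `:raises BadAuthenticationType:` and `:raises AuthenticationException:` entries still say "(and no event was passed in)", but the signature shown is `auth_gssapi_keyex(self, username)`, which has no event parameter. Since the change is meant to make the docstring match the real signature, those parentheticals should be dropped, e.g. `:raises AuthenticationException: if the authentication failed`. The method body continues past the hunk, so the conditions under which each exception is raised cannot be confirmed from here.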
@@ -2,6 +2,20 @@ Changelog ========= +* :bug:`742` (also re: :issue:`559`) Catch ``AssertionError`` thrown by + Cryptography when attempting to load bad ECDSA keys, turning it into an + ``SSHException``. This moves the behavior in line with other "bad keys" + situations, re: Paramiko's main auth loop. Thanks to MengHuan Yu for the + patch. +* :bug:`334` Make the ``subprocess`` import in ``proxy.py`` lazy so users on + platforms without it (such as Google App Engine) can import Paramiko + successfully. (Relatedly, make it easier to tweak an active socket check + timeout [in `Transport <paramko.transport.Transport>`] which was previously + hardcoded.) Credit: Shinya Okano. +* :support:`854 backported` Fix incorrect docstring/param-list for + `Transport.auth_gssapi_keyex + <paramiko.transport.Transport.auth_gssapi_keyex>` so it matches the real + signature. Caught by ``@Score_Under``. * :bug:`681` Fix a Python3-specific bug re: the handling of read buffers when using ``ProxyCommand``. Thanks to Paul Kapp for catch & patch. * :feature:`398` Add an ``environment`` dict argument to `Client.exec_command |